Why a strong password doesn't help as much as a unique one

While it's important to have a well-chosen password to avoid it being cracked, unique passwords for every site and service are critical.

A strong password resists cracking at sites that have taken at least basic measures to obscure them. But unique passwords let you ensure that one breach doesn't expose you everywhere.

Like a snowflake

A weak password protected strongly is as powerful as a strong password. A strong password that's revealed by an engineering or design fault is as weak as one chosen badly.

When you pick a strong password and use it in multiple places, you're relying on each site or service with which it's paired having a well-designed process to prevent interception on its side or in transit. And on its having chosen the right methods to take your password and store it not as plain text but as a one-way derived value, known as a hash.

If you use the same strong password everywhere, any single breach that reveals a company didn't protect password entry or storage well exposes you at every other site. The way around this is to create strong, unique passwords you don't need to memorize, using software like 1Password, LastPass, or several other password-management apps. A single exposure then compromises, at worst, one site.

There are some staggeringly positive examples of sites mitigating password theft. LastPass had an account information breach, but assuming that its description and implementation of how it stored passwords is correct, there is nearly zero chance that passwords from its users will be recovered in bulk. A targeted individual, combined with the password hints that LastPass stored, might be cracked before he or she can change the password, but brute force against all passwords will fail.

I just worked with one outfit for which I do some programming to migrate from an older to a newer encrypted-storage methodology, prompted by an update to one module they're using that allows for better methods. The old storage was fine, and the site has no personal or payment information. But if registered site visitors use the same password elsewhere, then we face the problem described above in the event of a breach. The upgrade makes it impossible for a cracker who uses brute force on one stored password to use the same results to match identical plain-text passwords in other accounts. (The system uses salting, a random value added to a password, on top of hashing. The salt prevents two identical passwords from producing the same stored result.)

I know it sounds awful and dangerous to have unique passwords that you aren't memorizing. But it's more dangerous to have one strong one. I use 1Password, and I store my database of passwords in Dropbox. 1Password always leaves the database encrypted, and decrypts in its client software using the same technique employed by LastPass in its clients and on its server that creates so much "work" (computational burden) that someone acquiring my password cache would take years or decades of dedicated work to crack.
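To make the salting point from the site migration above and the "work" point here concrete, this is an added Python example (not code from the post or from the site the author upgraded): an unsalted SHA-256 store, where one cracked value matches every account sharing that password, beside a salted, iterated PBKDF2 store, where identical passwords yield different records. The account names, the `iterations$salt$digest` record layout and the iteration count are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample: two users who happen to share the same password.
ACCOUNTS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Assumed work factor for the example; real deployments tune this to their hardware.
ITERATIONS = 200_000


def unsalted_store(password: str) -> str:
    """The weak scheme: a single plain SHA-256 per password, no salt, no work factor."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_store(password: str, salt: Optional[bytes] = None) -> str:
    """The upgraded scheme: random per-user salt plus PBKDF2-HMAC-SHA256 stretching.

    Record layout (assumed): 'iterations$salt_hex$digest_hex', so the verifier
    can recover the parameters it needs without any shared secret.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def reuse_exposure(store_fn: Callable[[str], str]) -> int:
    """Count how many OTHER accounts a cracked record for 'alice' also unlocks.

    Unsalted: 1 (bob's record is byte-identical). Salted: 0, because the same
    password produces a different record for every user, so brute-forcing alice's
    record tells the attacker nothing reusable about bob's.
    """
    table = {user: store_fn(pw) for user, pw in ACCOUNTS.items()}
    cracked = table["alice"]
    return sum(1 for user, rec in table.items() if user != "alice" and rec == cracked)
```

The iteration count is what supplies the "work": each guess against a salted record costs ITERATIONS hash computations, and the salt forces that cost to be paid once per user rather than once per password.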